I have an AWS EC2 instance, running Amazon Linux, that has two Elastic Network Interfaces (ENIs) attached: eth0 and eth1. I am connecting to the public IP on eth0. Everything works great, except I would like to route unencrypted traffic out of the eth1. i.e. Client connects to eth0 to setup an encrypted VPN tunnel, then his/her unencrypted internet traffic is routed in/out of eth1 and back across the tunnel on eth0.
I don't know enough about iptables to get this config working, despite trying for several hours. I'm hoping this is a simple one?
I've installed the latest version of OpenVPN from source and done the following:
- Disabled source/dest check on the interfaces
- Added the following to "rc.local":

      echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

- Added the following iptables commands:

      iptables -A INPUT -i eth0 -m state --state NEW -p tcp --dport 443 -j ACCEPT
      iptables -A INPUT -i tun+ -j ACCEPT
      iptables -A FORWARD -i tun+ -j ACCEPT
      iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
      iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
      iptables -t nat -A POSTROUTING -s 10.18.14.0/24 -o eth0 -j MASQUERADE
My server config file looks like this:

    port 443
    proto tcp-server
    dev tun
    tls-server
    server 10.18.14.0 255.255.255.0
    ca /etc/openvpn/pki/ca.crt
    cert /etc/openvpn/pki/vpnserver.crt
    key /etc/openvpn/pki/vpnserver.key
    dh /etc/openvpn/pki/dh.pem
    ifconfig-pool-persist ipp2.txt
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"
    keepalive 5 15
    comp-lzo
    max-clients 5
    persist-key
    persist-tun
    status openvpn-status.log
    log-append /var/log/openvpn_road.log
    verb 6
    mute 20
    tun-mtu 1500
    auth SHA1
    keysize 128
    cipher BF-CBC
You need to set up routing. Your rules look OK, but you need to change the MASQ rule.
I would also suggest some simpler rules for your originating packets.
Now, as for the routing: I assume you only want the OpenVPN clients to exit via eth1 and not the server itself, which I presume has its default route via eth0. We need to create a new routing table for your OpenVPN clients; we will call it ovpn-inet.
Edit /etc/iproute2/rt_tables, insert the following at the end and save. Then create /etc/sysconfig/network-scripts/route-eth1 with the following content, replacing <gw on eth1> and other attributes within <>. Now create /etc/sysconfig/network-scripts/rule-eth1
A suggestion would also be to switch OpenVPN to UDP for the sake of performance. This would also allow you to run an HTTPS server over TCP if you ever need it. Also consider using tls-crypt in your OpenVPN server config as a simple way of doing a little hardening on your installation. Now restart your networking to put the changes into effect.